Privacy Policy – Attendify Vision (Flutter App & Admin Panel)
Attendify Vision (“App”) and the accompanying Admin Panel (collectively, the “Service”) are operated by Attendify Vision (“we”, “us”, “our”). This policy explains what we collect, how we use it, with whom we share it, retention periods, security, and your rights.
- Who is responsible (Controller vs. Processor)
- Scope
- What we collect
- How we use data (Purposes)
- Legal bases
- Where data is stored & with whom it’s shared
- Retention schedule
- Face data compliance (Apple)
- Cookies, SDKs, and local storage
- Security
- International transfers
- Your rights
- Children
- Changes to this policy
- Contact us
- Annex A – Role & Admin Panel
- Annex B – Mobile & Liveness
- Annex C – App Store “App Privacy” mapping
1) Who is responsible (Controller vs. Processor)
Data Controller: The employer that licenses and uses the Service (e.g., your company or client company) is the Controller of employee data.
Service Provider/Processor: Attendify Vision provides hosting and functionality on behalf of the Controller.
How to exercise rights: Employees should contact their employer (Controller). We will support the Controller in fulfilling requests.
2) Scope
- The Flutter mobile app used by employees for attendance (check-in/out), including geofenced verification and on-device liveness/face verification.
- The Admin Panel (web) for authorized admins/managers to manage employees, attendance, roles, rosters, and settings.
3) What we collect
3.1 Account & Profile Data
- Employee identifiers (e.g., ID number, name, designation, date of birth, contact number/email).
- Employer-provided profile photo (face image) uploaded by authorized admins.
- Company information, assignment (contract/location), roster and role data.
3.2 Attendance & Operational Data
- Check-in/out metadata: timestamp, geolocation (lat/long + accuracy), method (e.g., FACE, QR), device/app version, platform, network status (online/offline sync), and the binary match result (pass/fail).
- Geofencing: coordinates and radius defined by the employer to validate presence.
- Supervisor Assist: supervisor ID, assisted check-in metadata and rationale (no face images stored).
- Offline queue: unsent attendance events cached locally until connectivity returns (event metadata only, such as timestamp, location, and match result; no face images or biometric templates).
3.3 Device & App Diagnostics
- Device model, OS version, app version, language/locale, network type.
- Device binding (“one device, one account”): we store a hashed device identifier, not the raw identifier, so that sign-ins from a device other than the one bound to the account can be detected and refused.
- Optional: crash logs/diagnostics if enabled by the Controller (see 6.3).
3.4 Admin Panel Data
- Admin account details (name, email), role/permission level.
- Audit logs: sign-ins, role assignments, edits to employee records, roster changes, and sensitive actions (with timestamp, acting admin, target record).
- Cookies/local storage for session management and user preferences (see 9.2).
3.5 Face Data & Liveness (Important)
- Employer-provided profile photo (face image): Stored in cloud storage to enable identity verification at check-in.
- Live camera frames for liveness & comparison: Processed on-device only and discarded immediately after the match decision.
- Not collected/stored: We do not store facial templates, embeddings, faceprints, facial landmarks, or depth maps. We do not use Apple TrueDepth APIs.
4) How we use data (Purposes)
4.1 Core Operations
- Verify identity at check-in by comparing the live subject to the employer-provided profile photo.
- Confirm liveness to prevent spoofing (blink/head movement).
- Enforce geofenced attendance rules and employer policies.
- Maintain attendance records (storing only pass/fail plus operational metadata—no face images).
- Allow Supervisor Assist and offline check-ins with automatic sync when online.
4.2 Administration & Security
- Authenticate users (employees/admins), manage roles, and authorize actions.
- Create audit trails of admin actions for security and compliance.
- Prevent fraud/abuse (device binding, anomaly checks).
- Provide support and service quality improvements (including aggregated analytics).
4.3 Communication (Optional)
- Operational notifications to admins/employees (e.g., policy changes, urgent incidents) via in-app or push/email where enabled by the Controller.
4.4 What we do not do
- No advertising or third-party marketing use of your data.
- No sale of personal data.
- No model training using your personal or face data.
5) Legal bases (where applicable)
If the GDPR/UK GDPR or similar laws apply, processing may rely on:
- Contractual necessity (e.g., providing the attendance Service).
- Legitimate interests (security, fraud prevention, service improvement).
- Legal obligations (employment/labor compliance requirements).
- Consent where required by local law (e.g., location permissions in mobile OS).
6) Where data is stored & with whom it’s shared
6.1 Primary Sub-processor (Attendify Vision is the Processor; Google acts as our Sub-processor)
Google Firebase / Google Cloud (hosting, Authentication, Firestore, Storage, Cloud Functions, Cloud Logging).
- What they store: the profile photo in Firebase Storage; attendance, admin, and app data in Firestore; operational logs in Cloud Logging. Cloud Functions processes data transiently and does not keep its own copy of it.
- Why: To provide secure hosting/storage/compute for our Service.
- How long: Aligned with our retention schedule (Section 7). Deletion cascades to Firebase on our instruction.
- Security: TLS in transit; encryption at rest; access controls.
6.2 Other Third Parties
We do not share face images, biometric templates, or personal data with third parties for their independent use. Additional subprocessors (if any) will be listed in an up-to-date Subprocessor List provided to the Controller upon request.
6.3 Optional Services (enable/disable per Controller)
- Crashlytics/Diagnostics: If enabled by the Controller, collects crash and performance metadata (device/OS state at crash, stack traces). No face images or biometric templates.
- Analytics: If enabled, we use aggregate, de-identified operational metrics to improve reliability (no ad identifiers, no cross-site tracking).
7) Retention schedule (how long & why)
| Data Category | Retention | Rationale |
|---|---|---|
| Live camera frames (liveness & comparison) | Not retained (discarded immediately on-device) | Security by design; no biometric template storage |
| Employer-provided profile photo | While employee account is active; deleted within 30 days after deactivation or employer request | Needed for daily identity verification |
| Attendance records (pass/fail + metadata) | 24 months by default (configurable by Controller) | Payroll, compliance, audits |
| Admin audit logs | 24–36 months (configurable) | Security, accountability, dispute resolution |
| Device binding ID (hashed) | While account is active; deleted within 30 days after deactivation | Anti-fraud, one-device policy |
| Crash/diagnostic logs (if enabled) | 90–180 days (configurable) | Stabilization, troubleshooting |
| Backups | Per backup cycle, max 30–90 days | Disaster recovery |
The Controller may request different retention settings subject to legal obligations. Note that data deleted from live systems may persist in backups until the applicable backup cycle expires (30–90 days maximum, as shown above).
8) Face data compliance (explicit statements required by Apple)
- We do not retain live face data used during check-in (Section 7).
- The only stored “face data” is the employer-provided profile photo, retained only while active and deleted within 30 days after deactivation/request.
- No third-party sharing of face images/biometric templates.
- Google Firebase stores the profile photo on our behalf (processor) for the sole purpose of providing storage; it follows our retention schedule and does not use the data for advertising or model training.
9) Cookies, SDKs, and local storage
9.1 Mobile App
- Uses secure local storage for session tokens, offline queue, and preferences. No third-party tracking SDKs for ads.
- Background location is not tracked; location is captured at check-in only (with OS permission prompts).
9.2 Admin Panel (Web)
- Uses strictly necessary cookies/local storage for the authentication session, CSRF-protection tokens, and UI preferences.
- No third-party advertising or cross-site tracking cookies.
10) Security
- Encryption in transit (TLS) and at rest.
- Role-based access control (RBAC) with least-privilege principles.
- Admin audit logging, anomaly detection, and periodic access reviews.
- Partitioned data per company (tenant-aware Firestore rules).
- Optional 2FA for admin accounts (recommended).
- Secure key management and regular patching.
11) International transfers
Data may be processed in configured Firebase region(s) (e.g., europe-west / us-central / me-central2) and other locations where Google Cloud operates redundantly. We rely on appropriate safeguards (e.g., Google’s intra-group commitments and standard contractual clauses) when required by law.
12) Your rights
Depending on your jurisdiction (e.g., GDPR/UK GDPR, UAE PDPL, CCPA/CPRA), you may have rights to access, correct, delete, port, or restrict processing of your personal data.
- Employees: contact your employer (Controller). We will support the Controller in fulfilling requests.
- Admins/Visitors to the site: contact us via Section 15.
13) Children
The Service is for workplace use and not intended for children under 16. We do not knowingly collect data from children.
14) Changes to this policy
We may update this policy. Material changes will be communicated to Controllers and posted here with a new Effective Date.
15) Contact us
Attendify Vision
Email: contact@attendifyvision.org
Phone: +971 52 7039720
For employee data rights, please contact your employer first.
Annex A – Role & Admin Panel Specifics
- Role model: owner → manager → admin → employee (customizable).
- Who can view/update what: enforced by Firestore rules and in-app checks.
- Role assignments: only owner/manager (or designated admin) can assign/revoke roles.
- Audit trails: we log who changed what and when (role grants, edits to employee profiles, roster changes).
- Access to face images: profile photos are viewable to authorized admins for legitimate purposes (e.g., identity verification). No export of bulk images is permitted via UI.
Annex B – Mobile Features and Face/Liveness Details
- Face match & liveness: performed on-device; frames are ephemeral and discarded immediately after decision.
- Geofence checks: use GPS coordinates and accuracy to confirm presence; no background tracking.
- Offline mode: queues unsent attendance events locally (metadata only) and syncs when online.
- Supervisor assist: records the assisting supervisor’s ID and reason; does not store any face images.
- One Device One Account: stores a hashed device identifier to prevent unauthorized multi-device logins.
Annex C – App Store “App Privacy” mapping (helper, not legal text)
Data linked to user: Identifiers (employee ID), Contact info, Photos (profile photo), Location (at check-in only), Diagnostics (if enabled), Usage data (admin audit logs) – all for app functionality, account management, fraud prevention, and security.
Not tracked across apps/sites.
Face data: live frames not retained; stored face image is the employer-provided profile photo used solely for identity verification.
This policy is intended to be clear and practical. It does not constitute legal advice.